Apple patches 21 Mac OS X vulnerabilities
Updates Flash Player plug-in, tackles CoreTypes for the third time this year
Security Update 2008-008, which was released today as part of a broader refresh of Mac OS X 10.5, a.k.a. Leopard, and available separately for users of Mac OS X 10.4, known as Tiger, quashes bugs in Apple Type Services, the CoreGraphics rendering component, the kernel, LibSystem and other pieces of the operating system.
At least half a dozen of the patches were tagged by Apple with its usual "arbitrary code execution" phrasing, a sign that the vulnerabilities are serious and, if exploited, could result in a hacker hijacking a machine.
While all 21 of the vulnerabilities affect Leopard, which was updated to Version 10.5.6, only 15 of them affect Tiger, Apple's oldest still-supported operating system.
Apple also updated the Flash Player plug-in it ships with Mac OS X to bring the software in line with the versions Adobe rolled out Nov. 5 and Nov. 17. Although Adobe updated Flash for all users, including those with Macs, and made the new versions available for downloading, Apple includes the fixes in its own operating system updates because it bundles the plug-in with all of its computers.
"The issues are addressed by updating the Flash Player plug-in to version 188.8.131.52," said Apple in the security advisory that accompanied today's patches. These fixes will be moot for users who have already updated to Flash Player 10 on their own, however.
Other vulnerabilities that Apple patched today plug holes that could lead to everything from a denial of service or unintentional disclosure of private information to an unexpected system shutdown or access to the Podcast Producer component of Apple's server software.
Several of the patches address bugs that could be exploited through a browser, including two fixes to CoreGraphics and one to CoreTypes. Hackers could exploit one of the two CoreGraphics vulnerabilities with a malformed image file, while the second -- which could conceivably result in the hijacking of user credentials -- could be exploited simply by duping users into visiting a malicious Web site.
Apple also patched CoreTypes to block additional file types from being opened after a user downloads them. Safari, for example, relies on the component's Download Validation function to warn users against opening dangerous or risky file types. "This update adds to the list of potentially unsafe types," said Apple's advisory. "It adds the content type for files that have executable permissions and no specific application association. These files are potentially unsafe as they will launch in Terminal and their content will be executed as commands."
CoreTypes' Download Validation feature had already been patched twice this year. Apple added more file types to the warning list in both the May 2008-003 update and June's 2008-004, releases that patched 40 and 25 flaws, respectively.
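The file class Apple describes, an executable-bit file with no application association, is easy to audit for on your own machine. The following shell script is an added example, not code from the article or from Apple: it lists files in a downloads directory that carry an execute permission bit and no filename extension, the combination that Terminal would otherwise run as commands on double-click. The default `~/Downloads` path and the function names are assumptions.

```sh
# Added example (not from the article or Apple): audit a downloads directory for
# the file class Security Update 2008-008 added to CoreTypes' Download Validation
# list -- regular files with an execute permission bit and no filename extension,
# so no application is associated with them by type. Without the warning, Finder
# opens such a file in Terminal and its contents run as shell commands.

# Succeeds (0) when "$1" is a regular file with any execute bit set and no
# extension. The mode string comes from ls -l so the check does not depend on
# whether the *calling* user could execute the file (as test -x would).
is_terminal_launchable() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -ld -- "$f" | cut -c2-10)
    case $mode in
        *[xst]*) ;;              # execute bit for owner, group or other
        *) return 1 ;;           # (lowercase s/t imply x as well)
    esac
    case ${f##*/} in
        ?*.*) return 1 ;;        # has an extension: a normal type association applies
    esac
    return 0
}

# Print every matching file directly under "$1" (default: ~/Downloads, assumed),
# one path per line. Dotfiles are included; "." and ".." fail the -f test.
scan_downloads() {
    dir=${1:-"$HOME/Downloads"}
    for f in "$dir"/* "$dir"/.*; do
        is_terminal_launchable "$f" && printf '%s\n' "$f"
    done
    return 0
}
```

Run `scan_downloads` with no argument to check `~/Downloads`, or pass another directory. Files it lists are the ones the updated Download Validation now warns about; on an unpatched system they would open in Terminal without any prompt.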
Security Update 2008-008 can be downloaded from the Apple site or installed using Mac OS X's integrated update service. Leopard users, however, won't see the security update separately on the latter; those patches were rolled into the Mac OS X 10.5.6 upgrade also released today.
The security update alone weighs in at a 133MB download, while the combination Mac OS X 10.5.6/2008-008 is even heftier, at 372MB.